Camunda: Authorizations by Group via REST
Camunda allows users to authorize access to certain Tasks and BPMN flows. An Authorization assigns a set of Permissions to a Group of users to interact with a given BPMN.
Introduction
In this blog I will document the different permissions I set as part of a project involving Insurance users with different levels of access.
I set my permissions using REST APIs. Here is a great link that details all the endpoints.
Application Authorization
First, we need to give users the access rights to view Tasklist within Camunda.
POST the following payload:
{
  "type": 1,
  "permissions": [
    "ACCESS"
  ],
  "userId": null,
  "groupId": "adjuster",
  "resourceType": 0,
  "resourceId": "tasklist"
}
Endpoint: http://localhost:8181/engine-rest/authorization/create
Create Groups
To create a group, POST the following payload:
{
  "id": "adjuster",
  "name": "Desk Adjuster",
  "type": "WORKFLOW"
}
Endpoint: http://localhost:8181/engine-rest/group/create
Assign User to Group
PUT the user's ID as a path parameter, along with the unique group ID used above.
Endpoint: http://localhost:8181/engine-rest/group/{id}/members/{userId}
Process Instance Authorization (Interact with BPMN)
Here the goal is to specify which resource the user may interact with. This is done by specifying the resourceType:

{
  "type": 1,
  "permissions": [
    "READ",
    "UPDATE",
    "CREATE",
    "UPDATE_VARIABLE"
  ],
  "userId": null,
  "groupId": "adjuster",
  "resourceType": 8,
  "resourceId": "*"
}
To give users in the adjuster group the rights to interact with BPMN process instances, POST the above payload.
Process Definition
This permission gives users access to a particular BPMN flow. A common use case would be to restrict a User Task to certain users.
Unfortunately this cannot be done at the activity level. Instead, it is done by isolating the User Task activity in its own BPMN flow. The unique ID of this BPMN flow is then used.
To assign group permissions to a BPMN flow, POST the following payload:
{
  "type": 1,
  "permissions": [
    "READ",
    "UPDATE",
    "READ_TASK",
    "UPDATE_TASK",
    "CREATE_INSTANCE",
    "READ_INSTANCE",
    "UPDATE_INSTANCE",
    "READ_HISTORY",
    "TASK_WORK",
    "TASK_ASSIGN",
    "SUSPEND",
    "UPDATE_INSTANCE_VARIABLE",
    "UPDATE_TASK_VARIABLE",
    "READ_INSTANCE_VARIABLE",
    "READ_HISTORY_VARIABLE",
    "READ_TASK_VARIABLE"
  ],
  "userId": null,
  "groupId": "adjuster",
  "resourceType": 6,
  "resourceId": "BPMN_ID"
}
Once the above is completed, make sure that the Camunda filters are set so that the user can view the User Tasks.
Under criteria, state the BPMN IDs used in the process definition authorization.
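A pre-flight review of the authorization payloads above, run before they are POSTed (an added example, not part of the original post): it decodes the numeric type and resourceType codes into names and flags grants that deserve a second look. The names for type codes 0 and 2 (GLOBAL, REVOKE) and the review rules themselves are assumptions of this example, not something the post states.

```python
# Numeric codes used in this post's payloads (Camunda 7 REST API).
AUTH_TYPES = {0: "GLOBAL", 1: "GRANT", 2: "REVOKE"}
RESOURCE_TYPES = {0: "APPLICATION", 6: "PROCESS_DEFINITION", 8: "PROCESS_INSTANCE"}
# Review rule of this example (not an engine rule): prefixes of state-changing permissions.
WRITE_PERMS = ("CREATE", "UPDATE", "DELETE", "SUSPEND", "TASK_WORK", "TASK_ASSIGN")


def review(payload):
    """Return (summary, findings) for one authorization payload."""
    kind = AUTH_TYPES.get(payload["type"], "UNKNOWN")
    resource = RESOURCE_TYPES.get(payload["resourceType"],
                                  "type %s" % payload["resourceType"])
    who = payload.get("groupId") or payload.get("userId")
    perms = payload["permissions"]
    summary = "%s %s on %s '%s' to %s" % (
        kind, ",".join(perms), resource, payload["resourceId"], who)
    findings = []
    # The payload should name one principal: a user or a group, not both or neither.
    if bool(payload.get("userId")) == bool(payload.get("groupId")):
        findings.append("set exactly one of userId / groupId")
    # A wildcard resourceId applies the grant to every resource of that type.
    writes = [p for p in perms if p.startswith(WRITE_PERMS)]
    if kind == "GRANT" and payload["resourceId"] == "*" and writes:
        findings.append("write permissions %s granted on every %s" % (writes, resource))
    # The post uses BPMN_ID as a stand-in for the real process definition key.
    if payload["resourceId"] == "BPMN_ID":
        findings.append("resourceId is still the BPMN_ID placeholder")
    return summary, findings


# Payloads from this post (the process definition permission list is shortened).
PAYLOADS = [
    {"type": 1, "permissions": ["ACCESS"], "userId": None,
     "groupId": "adjuster", "resourceType": 0, "resourceId": "tasklist"},
    {"type": 1, "permissions": ["READ", "UPDATE", "CREATE", "UPDATE_VARIABLE"],
     "userId": None, "groupId": "adjuster", "resourceType": 8, "resourceId": "*"},
    {"type": 1, "permissions": ["READ", "READ_TASK", "TASK_WORK"],
     "userId": None, "groupId": "adjuster", "resourceType": 6, "resourceId": "BPMN_ID"},
]

if __name__ == "__main__":
    for p in PAYLOADS:
        summary, findings = review(p)
        print(summary)
        for f in findings:
            print("  !", f)
```

Run against the three payloads in this post, it passes the Tasklist grant cleanly, flags the process instance grant because `"resourceId": "*"` gives the adjuster group UPDATE and CREATE on every process instance, and reminds you to replace BPMN_ID with the real process definition key.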
